How to collect all Microsoft Defender ATP events

• Preface
• Stream the events to Azure Event Hub & Use the Azure Connector to collect it
• Stream the events to Azure Storage Account & Use the Custom Application Connector to collect it

NOTE

This method collects all the events generated by Defender ATP

If you're interested in collecting only the alerts generated by Defender ATP then use the Azure Connector's Security Center endpoint.

See: https://support.skyformation.com/hc/en-us/articles/115001268274-SkyFormation-for-Azure-Cloud-Connector-Overview

Preface

Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. For more information about Microsoft Defender Advanced Threat Protection, see here.

If your organization utilizes this tool, you might want to collect its data into your SIEM for various reasons.

There are two methods supported to collect these events. We will cover both, so you can choose whatever suites your organization’s needs

Stream the events to Azure Event Hub & Use the Azure Connector to collect it

This method utilizes Microsoft Defender ATP’s capability to stream its events to Azure Event Hub.

1. Follow this guide to set up event streaming to a dedicated Azure Event Hub

2. If you already have an Azure connector setup in your Cloud Connectors instance, which collect data from the subscription in which the Event Hub was set up - force it to refresh it’s list of Event Hubs in your Azure deployment

   1. Stop the Azure connector via the UI - go to Setting > Accounts > Click “STOP” on the relevant Azure connector
   2. Wait 1 minute
   3. Start the connector. Wait about 5 minutes for the connector to explore your deployment and identify all Event Hubs

3. If you do not have an Azure connector setup, follow this guide to onboard it, start it, and wait Wait about 5 minutes for the connector to explore your deployment and identify all Event Hubs

4. Follow this guide; select event type “Pass-thru” to onboard the Event Hub to which the Microsoft Defender ATP events are streamed

5. Start the Event Hub endpoint in the connector

Stream the events to Azure Storage Account & Use the Custom Application Connector to collect it

This method utilizes Microsoft Defender ATP’s capability to stream its events to Azure Storage Account.

1. Follow this guide to set up event streaming to a dedicated Azure Storage Account
2. Follow this guide to setup the Storage Account for data collection by the Cloud Connector, and onboard a new Custom Application Connector (this guide) in your Cloud Connectors deployment
3. Start the newly on-boarded connector